Putting Together the Pieces: A Concept for Holistic Industrial Intrusion Detection

TL;DR

This paper proposes a comprehensive industrial intrusion detection framework that integrates multiple methods to identify attacks across various industrial system layers, enhancing security in Industry 4.0 environments.

Contribution

It introduces a holistic concept combining diverse detection techniques tailored for different industrial environments and attack stages, based on experiments with real and synthetic data.

Findings

Different industrial layers require tailored detection methods.

The concept can identify various attack stages.

Experimental validation supports the approach.

Abstract

Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.